Saw your presentation at JNUC and thought id take a crack at teams notification as its what's used for my company. Added a few lines to allow for teams web hook notification. Thought you would be interested. Code for decode is after the # Final Decoder checks for password rotation# as I wanted to include the time frame the account would be reset in the notification. Decoder also wasn't pasting the code to the clipboard so added that as well.

Create:Cycle.txt
Decoder.txt

@PezzaD84
I have had possibly two unrelated issues in relation to the Secret and CryptKey extension attributes and your scripts.

Firstly your documentation suggests using extension attribute names containing spaces i.e. "LAPS Secret". Whilst Jamf Pro itself is ok with that, trying to write my own shell scripts to access them is very, very hard. Clearly you encountered this yourself as your 'workaround' was to use a grep filter to 'find' the extension attribute by searching for the last half of the name, i.e. ignoring the space.

I have therefore for my own requirements used LAPS_Secret i.e. replacing the space with an underline in each of the two extension attributes. I am inclined to believe this is not the current cause of the problem.

What I believe to be the actual cause is that Jamf Pro has recently been upgraded to version 11.0.1 from 10.x. I suspect this is causing the result to return the value of the extension attributes not in 'field 16' but field 15 as your command of

grep -i CryptKey | tr '"' ' ' | awk '{print $16}'}

If I change this to print $15 it 'fixes' my problem.

Hi @PezzaD84,

I am piloting this solution. LAPS account is created successfully and password decode is working as expected however I am unable to authenticate/login using LAPS account.

So i am seeing a problem with the encoded credentials working consistently. sometimes it does not read the encoded credentials and return a token. other it does. it seems to work better on the creat script than the decode script because that is having difficulty getting a token. if i send a direct username and password it all works unencrypted that is.

Getting the following logs while try to create LAPS Admin. Could you please help @PezzaD84

Script result: Error checking any previous configuration.....
Log found. Checking for previous failures.....
No previous failures detected. Continuing LAPS Configuration.....
Log already exists. Continuing setup.....

============ LAPS Account cycled 19/12/2023 15:35:49 ============

Password length has been set to 10 characters
A Special character has been set in the password
eximpe-admin does not exist. Creating local admin now
2023-12-19 15:35:50.243 sysadminctl[45965:953412] ----------------------------
2023-12-19 15:35:50.244 sysadminctl[45965:953412] No clear text password or interactive option was specified (adduser, change/reset password will not allow user to use FDE) !
2023-12-19 15:35:50.245 sysadminctl[45965:953412] ----------------------------
2023-12-19 15:35:50.256 sysadminctl[45965:953412] New account password error. (5402)
/Library/Application Support/JAMF/tmp/laps create account: line 264: /Users/eximpe-admin/Library/Preferences/com.apple.SetupAssistant.plist: No such file or directory
chown: eximpe-admin: illegal user name
chmod: /Users/eximpe-admin/Library/Preferences/com.apple.SetupAssistant.plist: No such file or directory

Device serial is C02X305FJG5H
JAMF ID is 2
LAPS Configuration was successful
No slack URL configured
No Teams Webhook configured
LAPS Launch Daemon found. Removing old Launch Daemon.
Launch Daemon removed.

@PezzaD84
I have recently joined an organisation with existing Macs and Jamf and currently existing local admin accounts all using the same password.

I am looking to implement your macOSLAPS solution and would like to use it to take over the existing local admin accounts. As they currently all have the same password it would in theory be possible to do either of the following.

1. Have your script(s) use a (known) default password if the user account already exists and then randomise it
2. Have your script(s) default to doing a password reset for an existing account

It would seem that the first option would be preferable however it looks like your current setup is not geared up for this.

Clearly I could as per your documentation create a new (additional) local admin account but that is not desirable either. Do you have an existing approach for this or would it be possible to add a new additional option to allow this?

Note: As we are using Jamf Connect it would be responsible for creating the local admin account initially so it would exist before your script gets a chance to create it. It is potentially possible that the initial password as created via Jamf Connect would not be a specific chosen password but the FileVault Personal Recovery Key which Jamf Connect would have enabled and as per (other) Jamf settings escrowed to Jamf. It is possible to read this recovery key via the Jamf API so you could also potentially build this capability in. See - https://travellingtechguy.blog/jamf-connect-and-laps/

Here is a cleaner way of adding the Setup Assistent suppress plist. This way there is no need to set file permission.
I also added DidSeeAccessibility, DidSeeAppearanceSetup and DidSeePrivacy.

# Create Setup Assistant suppress plist setup_assistant_file="/Users/$4/Library/Preferences/com.apple.SetupAssistant.plist" sudo -u $4 defaults write "$setup_assistant_file" DidSeeAccessibility -bool true sudo -u $4 defaults write "$setup_assistant_file" DidSeeAppearanceSetup -bool true sudo -u $4 defaults write "$setup_assistant_file" DidSeeAvatarSetup -bool true sudo -u $4 defaults write "$setup_assistant_file" DidSeeCloudSetup -bool true sudo -u $4 defaults write "$setup_assistant_file" DidSeePrivacy -bool true sudo -u $4 defaults write "$setup_assistant_file" DidSeeSiriSetup -bool true sudo -u $4 defaults write "$setup_assistant_file" DidSeeSyncSetup -bool true sudo -u $4 defaults write "$setup_assistant_file" DidSeeSyncSetup2 -bool true sudo -u $4 defaults write "$setup_assistant_file" DidSeeTouchIDSetup -bool true sudo -u $4 defaults write "$setup_assistant_file" DidSeeiCloudLoginForStorageServices -bool true sudo -u $4 defaults write "$setup_assistant_file" DidSeeiCloudSecuritySetup -bool true sudo -u $4 defaults write "$setup_assistant_file" GestureMovieSeen -bool true sudo -u $4 defaults write "$setup_assistant_file" LastSeenBuddyBuildVersion -string "21C52" sudo -u $4 defaults write "$setup_assistant_file" LastSeenCloudProductVersion -string "12.2.1"

where can I find the prescript for Jamf to delete the existing account and overwrite it with a LAPS admin account.

Thanks!

where do I find my Encrypted API credentials exactly?
no matter what I give in the parameter there, it doesn't work

Do you know what privileges are required for the account that is going to do the API calls?

Good afternoon

I have configured your LAPS and have it tested on a total of 5 computers. I have confirmed that all of them work without an issue. I have another MAC I am trying to install and get working but every time I run the command it successfully installs the program but it fails to send the cryptkey and secrectkey to JAMF. It is currently on Big Sur and can not be upgraded any further due to its age. Any insight is appreciated.

Everything working great on v3

Terminal login and su works great

Cannot login at the login window to LAPSadmin, in Jamf Connect Login it freezes, at Mac OS default login it spins forever

Hello,
can you explain or make a readme "What is to do for updating to a newer version?"?
I tryed to set the new scripts, but then I get failures.
Best regards,
snowwalker1988

          @PezzaD84 

It is possible to change the Login keychain via a terminal/script command

security set-keychain-password -o oldpassword -p newpassword
or
security set-keychain-password -o oldpassword -p newpassword path-to-keychain

However I get the impression that the dreaded local items keychain cannot be manipulated at all at least by the same security command. As I am sure you are aware the Login keychain is at

~/Library/Keychains/login.keychain.db

and the local items keychain is at

~/Library/Keychains/[UUID]/keychain-2.db.*

It would be preferable to preserve this keychain but for the LAPS account it is les important than a user account so if needed just deleting the local items keychain sub-folder would be ok.

It could be Apple have changed things in new macOS versions but previously I used the LAPS solution here - https://github.com/NU-ITS/LAPSforMac

When I last used it I do not recall it causing any keychain problems. It would therefore be worth having a look at its script. Be aware its code for reading and modifying its extension attribute is out of date, as an example its xpath command needs changing on Big Sur and later. You only need to look really at its code for changing the user/keychain passwords and see if it works better.

Originally posted by @jelockwood in #6 (comment)

Hi all,
I'm fairly certain that I'm doing something wrong here.
I've done everything per the documentation (or so I think) and am able to get the UI to appear. I submit either a serial or valid FQDN/hostname of a Mac in Jamf and make sure the dropdown at the bottom is correct, and get the following message in return.

What should I check?

EDIT: Doing more research and it looks like this won't work on Macs that "don't know" they are being LAPS-managed.
Our local admin account is provisioned through prestage, and I'm getting the feeling that a prestage local admin and LAPS cannot coexist. Or maybe I have this completely misunderstood.

@PezzaD84
I must confess I am slightly confused about which is which in terms of LAPS CryptKey and LAPS Secret.

Which contains the encrypted LAPS password?
Which contains the key used to decrypt the encrypted LAPS password?

Looking at your scripts implies LAPS Secret contains the encryption key and LAPS CryptKey contains the encrypted local admin password but their names would imply the opposite.

Hi, the extension attribute LAPS Last Decoded Date remains empty even after decoding. Ideas for a solution? Thanks for your efforts!

Code:
!/bin/bash

LAPSLOG="/Library/.LAPS/Logs/LAPS.log"

LAST_LAPS_DECODED=$(grep "LAPS Decoded" $LAPSLOG | tail -1 | awk '{print $4,$5}')

echo "$LAST_LAPS_DECODED"

Logfile: "..." the dots are used to blacken

***** LAPS Decode 10/08/2023 03:09:29
SwiftDialog is installed. Checking installed version.....
Dialog is up to date. Continuing to assemble....
The LAPS Password for ... was viewed by paul... on ....
Reason for viewing password: test
Password rotation has been set to 15 Minutes. LAPS Password for ... will be reset at 03:25.
***** LAPS Decode 10/08/2023 03:25:05
SwiftDialog is installed. Checking installed version.....
Dialog is up to date. Continuing to assemble....
***** LAPS Account cycled 10/08/2023 03:25:09
Password length has been set to 14 characters
A Special character has been set in the password
... has already been created and is a local admin. Resetting local admin password....
Password validated
The LAPS Password for ... was viewed by ... on ...
Reason for viewing password: ja
Password rotation has been set to 15 Minutes. LAPS Password for ... will be reset at 03:40.
***** LAPS Account cycled 10/08/2023 03:40:11
Password length has been set to 14 characters
A Special character has been set in the password
... has already been created and is a local admin. Resetting local admin password....
Password validated
CryptKey and SecretKey Escrowed to Jamf successfully
Device serial is ...
JAMF ID is 27
LAPS Configuration was successful
LAPS Launch Daemon found. Removing old Launch Daemon.
Launch Daemon removed. Completing rotation...

@PezzaD84
As far as I can see your macOSLAPS solution like some others stores the LAPS password in Jamf in an encrypted form. Arguably this is a good idea.

I have previously used https://github.com/NU-ITS/LAPSforMac which stores it as a plain text extension attribute. You do of course have to be a Jamf Pro admin to view it and the script does encrypt stuff when talking to Jamf.

I mention this because I am currently looking at another Mac admin requirement which is to automatically authorise installing macOS upgrades on Apple Silicon Macs and the MDM command is simply too unreliable so I will need to access and use a local admin credential. The goal is to avoid having the user themselves authorise this as too many will not bother to do this.

This would be easiest it seems by reading an extension attribute as plain text. See https://learn.jamf.com/bundle/jamf-pro-documentation-current/page/Computer_Extension_Attributes.html

One could then pass the script a script parameter like the following -

--admin-password=$EXTENSIONATTRIBUTE_5

where 5 is the number ID of the extension attribute, different setups will use a different number of course.

I would tend to suspect that it would not be feasible to use a script parameter that needs to decode the content of an extension attribute. I would presume it is not possible to embed script commands in a script parameter field.

What is your view on this? Any suggestions on how to solve this?

FYI - the other script I am planning to use for the macOS upgrades is Super

If you have no other suggestions, would you be open to adding an additional optional extension attribute to store it in plain text form?

hey there, this is overwriting the current version of swiftDialog I have installed each time, can it be removed from the package and built into the script to check for the latest?

Hi @PezzaD84
I hope you're doing well. I've been using macLAPS, and it's been great so far. I appreciate all your hard work! I've noticed that the password isn't automatically copied to the clipboard. Is there something I might be doing wrong, and is there a way I can fix it? Thanks a bunch!

Is there a solution to automate the created user to be authorized as a filevault user, it doesnt create the token for the admin user until it logs in for the first time, so in a situation that the machine is restarted the LAPS admin could not unlock the drive if its never been logged in. For our new machines we can add to the work flow to log into the user for the first time to create the token, but for the machines already been deployed it would be great if there is a way to authenticate the user as a filevault user remotely without touching each machines.

I would use sysadminctl but the LAPS admin is the only local admin so it cannot authenticate itself as a secure user, so I am wondering if there is a solution for this issue.

N/A